The Zoom MFA implementation consists of two parts: first you deploy Gluu server with WWPass authentication and, second, you configure the Gluu server and Zoom to work together.

Part 1. Implement Gluu+WWPass server

You can find the software modules and instructions for Gluu+WWPass server implementaion in our GitHub project.

When done, proceed with the second part:

Part 2. Configure multi-factor authentication to Zoom with Gluu+WWPass IdP

Before you begin

While configuring SAML login, keep the Zoom admin account always open in two browsers. In case you made a configuration error and switch to non-functional SAML login, this second browser may help you to rollback.

Prerequisites

We assume you have administrative rights in your Zoom business account as well as in your company Gluu server. Throughout this manual we use

https://mygluu.com as a URL of Gluu server

https://mycorp.zoom.us as your Zoom Vanity URL

Substitute your own real addresses.

Zoom admin page

Login to your Zoom business account at https://mycorp.zoom.us

In the left column, select Advanced -> Single Sign On, click Enable button

Fill in the following parameters:

Sign-in page URL: https://mygluu.com/idp/profile/SAML2/POST/SSO

Sign-out page URL: https://mygluu.com/idp/profile/SAML2/POST/SLO

Service Provider Entity ID: mycorp.zoom.us

Issuer (IdP Entity ID): https://mygluu.com/idp/shibboleth

Binding: HTTP Post

Signature hash algorithm: SHA-256

Also check:

YES - Sign SAML request

YES - Sign SAML Logout request

NO - Support encrypted assertions

30 days - Enforce automatic logout after user has been logged in for 30 days

YES - Save SAML response logs on user sign-in

To fill the Identity provider certificate, go to https://mygluu.com/idp/shibboleth URL of your Gluu server. Select and copy the internals of signing certificate

Paste the text to the Identity Provider Certificate field of the Zoom SAML admin page.

Later on, when you are comfortable with SAML authentication to Zoom, you can set "Support Ecnrypted Assertions" to "YES" and reduce "Enforce automatic logout after user has been logged in for" to 30 minutes.

Next, select SAML Response Mapping tab and fill it as follows:

For reference, here are the oid values (Zoom sets these oids automatically):

Email address urn:oid:0.9.2342.19200300.100.1.3

First name urn:oid:2.5.4.42

Last name urn:oid:2.5.4.4

Display name urn:oid:2.16.840.1.113730.3.1.241

You can control Zoom user type (Basic, Licensed) directly from Gluu/AD by adding the user to the particular group. Scroll the page down to "SAML Advanced Information Mapping" and cofigure the "User type" entry: